
Veeam has released a security update that addresses multiple critical vulnerabilities in its backup and replication software that could allow remote code execution if successfully exploited.
The vulnerabilities are:
CVE-2026-21666 (CVSS score: 9.9) – Vulnerability that allows authenticated domain users to execute remote code on backup servers.
CVE-2026-21667 (CVSS score: 9.9) – Vulnerability that allows authenticated domain users to execute remote code on backup servers.
CVE-2026-21668 (CVSS score: 8.8) – A vulnerability that allows authenticated domain users to bypass restrictions and manipulate arbitrary files on backup repositories.
CVE-2026-21672 (CVSS score: 8.8) – Local privilege escalation vulnerability in Windows-based Veeam Backup & Replication servers.
CVE-2026-21708 (CVSS score: 9.9) – Vulnerability that allows Backup Viewer to execute remote code as the postgres user.
These shortcomings, which affect Veeam Backup & Replication 12.3.2.4165 and all earlier version 12 builds, have been resolved in version 12.3.2.4465. CVE-2026-21672 and CVE-2026-21708 were also fixed in Backup & Replication 13.0.1.2067, along with two additional critical security flaws:
CVE-2026-21669 (CVSS score: 9.9) – Vulnerability that allows authenticated domain users to execute remote code on backup servers.
CVE-2026-21671 (CVSS score: 9.1) – A vulnerability that allows an authenticated user with the Backup Administrator role to perform remote code execution in a Veeam Backup & Replication high availability (HA) deployment.
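For triaging a fleet against the fixed builds named above, here is an added example (not Veeam's tooling or the advisory's own text) that parses dotted build strings and flags anything below 12.3.2.4465 on the 12.x line or 13.0.1.2067 on the 13.x line as needing the update; the host names and builds in the sample inventory are constructed, and treating every earlier 13.0.x build as needing the update is an assumption drawn from the fixed-build statement rather than an explicit claim on the page.

```python
# Added example: classify Veeam Backup & Replication builds against the
# fixed builds cited in the advisory summary (12.3.2.4465 and 13.0.1.2067).
# Version lines the summary does not cover are reported as "unknown".

FIXED_BUILDS = {
    12: (12, 3, 2, 4465),   # fixes the 12.x line (page states 12.3.2.4165 and earlier are affected)
    13: (13, 0, 1, 2067),   # fixes the 13.x line (assumption: all earlier 13.0.x builds need it)
}


def parse_build(version: str) -> tuple:
    """Turn '12.3.2.4465' into (12, 3, 2, 4465); short strings are zero-padded."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric build: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def assess(version: str) -> str:
    """Return 'patched', 'update_required' or 'unknown' for one build string."""
    build = parse_build(version)
    fixed = FIXED_BUILDS.get(build[0])
    if fixed is None:
        return "unknown"          # e.g. an 11.x build: not covered by this summary
    return "patched" if build >= fixed else "update_required"


def triage(inventory: dict) -> dict:
    """Map host -> status for a {host: build} inventory."""
    return {host: assess(build) for host, build in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names and builds are illustrative only.
    sample = {
        "vbr-prod-01": "12.3.2.4165",
        "vbr-prod-02": "12.3.2.4465",
        "vbr-lab-01": "13.0.0.10",
        "vbr-old-01": "11.0.1.100",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```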
“It is important to note that once a vulnerability and its associated patch are made public, attackers will likely attempt to reverse engineer the patch and exploit unpatched Veeam software deployments,” the company said in its advisory.
Vulnerabilities in Veeam software have been repeatedly exploited by threat actors to carry out ransomware attacks in the past, so it is imperative that users update their instances to the latest version to protect against potential threats.
